FTC takes safe harbor enforcement action against 12 US corporations

The U.S. Federal Trade Commission recently enforced Safe Harbor rules against twelve U.S. companies. These companies faced charges of falsely claiming a Safe Harbor certification. Though their certifications had lapsed, the companies still claimed them to be valid.

To maintain the certification, companies have to self-certify annually to the U.S. Department of Commerce that they comply with the privacy principles established by the EU in order to meet the EU’s adequacy standards.

Following complaints, the FTC took action against the companies, which resulted in settlements. The settlement agreements now prohibit the companies from falsely stating that they are Safe Harbor certified. As such statements are prohibited anyway, the FTC’s reaction is hardly more than an admonishment.

Reaction to recent EU criticisms?

Some experts see this enforcement as a reaction to the EU’s criticisms of the US’s approach to data privacy that arose recently, mainly driven by the Prism affair. In the recent past, national data protection authorities and officials, particularly in Germany, have expressed their concern about the existing framework.

One of the main criticisms was the relatively low number of enforcement actions taken against alleged infringers of Safe Harbor rules. Within the EU, several voices demanded a rethink of whether Safe Harbor is sufficient to assure the “adequate level of data protection” required by Article 25.1 of the Data Protection Directive (95/46/EC) for countries to which personal data is transferred from within the European Economic Area, and called for a termination of the existing Safe Harbor agreements with the U.S.

Following this, in November 2013, the European Commission released a report on data flows to the U.S., containing recommendations to improve the Safe Harbor framework. Among these recommendations are the disclosure of a privacy policy as well as notifications to EU authorities upon complaints being filed with the FTC.

In January 2014, the German Federal Government emphasized in an official statement that an amended Safe Harbor framework should strengthen the rights of citizens and include audit rights for the European data protection authorities.

Why this matters:

The Safe Harbor agreements between the U.S. and the EU are one of the few ways to comply with the EU’s demands for adequate data protection levels in the U.S. and to enable transfers of personal data to the U.S. If the EU rejected Safe Harbor, companies with transatlantic data flows would have to look for alternatives such as the EU Model Clauses. These Model Clauses are, however, likely to entail additional organisational effort. In some countries, further obstacles will have to be overcome, such as legal difficulties in Germany when it comes to sub-contracting on the basis of standard contractual clauses in certain cases.

The future will show if and to what extent amendments to the existing Safe Harbor framework are regarded as necessary and if they will be implemented in order to satisfy the EU’s demand for an adequate level of data protection.